This project clearly explains and detects the brute force login attempts on a windows machine by moniroting Event ID 4625 whith the help of windows event viewer and Sysmon. It states how the failed login events can scanned for a Brute-force attacks and it comes under MITRE ATT&CK technique (T1110).
- This project shows how ro detect the failed login attempts (Event ID: 4625) which uses the Sysmon help to make it visible over system-level activity. Then the next process filtering and reviewing is done in windows event viewer. It shows MITRE ATT&CK T111O- Brute Force and demonstrates how the brute foce can be spoted with help of native tools.
- Winndows Event Viewer
- Sysmon
- Custom Sysmon config (XML)
- Screenshots provided
- It shows that how we use windows tools which can detect brute-force without a full SIEM this can be used by blue teamers, SOC analysts.
#Screenshots
-
Shows filter applied , Sysmon rules and configuration view, Failed logon entries showinf time,source,and account.
- T1110-brute Force ( This shows audit trail logo whcih is considered as a evidence of possible brute-force attacks)